
Enterprise DLP as a Program - Phase 1: Project Charter

Whitepaper

Introduction
Deploying and integrating Enterprise Data Loss Prevention (DLP), and then ensuring it becomes a
programmatic piece of your overall security strategy, requires planning. You need a vendor that
understands how to structure the roll-out such that, at the end of it, your Enterprise DLP is in
sync with business operations and the team knows its role in the program. To do this, a
multi-phased approach is required. The six phases of deployment are:

1. Pre-deployment
2. Data usage discovery & visibility
3. Risk assessment
4. Policy development & deployment
5. User education
6. Data protection as a program

Building the Charter

Programmatic Success Factor > Set Yourself up to Succeed
The goal of the pre-deployment phase is to ensure organizations are best set up for success in
their data protection program roll-out, regardless of whether they are self-managing or relying
upon a third-party managed security program. To accomplish that you'll need to know what
is important to you, your team, and your business. Enterprise-wide collaboration will
put your team in the best position for success. This means understanding the business
objectives, information security goals, core use cases, information security team capabilities, and
corporate strategy. With all of this you can establish a realistic project timeline.

On-Premises vs SaaS vs Managed

Enterprise DLP has evolved from a single deployment option, on-premises and self-managed,
to Software as a Service (SaaS), and now includes fully managed offerings. Your business
needs and capabilities will drive you towards one of these. On-premises deployments give you
the highest degree of control, but at the tradeoff of additional expense and complexity. SaaS
offerings remove the additional hardware, software, and staff needed to manage the platform,
while managed offerings go one step further and reduce the need for security experts on staff.
Depending on which you choose, there will be variations in the phases, mainly in who is driving
the project, but the overall goals will remain the same.

• In an on-premises deployment your team owns every aspect of the Enterprise DLP program.
This means not only the DLP SW, but the underlying technical infrastructure that includes
servers and databases. Also required is a technical staff, both information technology and
information security to manage and maintain the entire technology stack.
• In a SaaS deployment, the vendor is your backup and will support you as you build out
the Enterprise DLP program and make it part of your security strategy. They maintain the
technology infrastructure that powers the Enterprise DLP, but your team owns the day-to-day
operations. At the time of handoff, you should be experienced with the platform and ready to
incorporate your DLP program into your business operations.

www.digitalguardian.com White Paper | 2
• In a managed deployment, the vendor is the lead, relying on input from your team to give
them the business knowledge to deliver and manage your data protection program. At the
time the program goes live, the vendor must understand your business and what data is
paramount to success.

Whether you manage it or not, cloud-based infrastructure is here to stay, and in most cases
should be the first choice. Analyst firms like Gartner and Forrester recommend that security
leaders consume more tools via SaaS, going so far as to say that if your DLP vendor isn't in the
cloud, ask why, or look elsewhere. Use your security teams for security, rather than for managing
and maintaining the platform.

Technical Environment
A detailed understanding of your environment will be part of this phase. Review the applications,
operating systems, types of data (PHI, PCI, PII, IP, etc.), enterprise locations, and how this may
evolve in the short to medium term.

• Windows continues to be the most dominant Operating System (OS) in use, though if you have
Linux or Mac machines in your environment you will need a DLP solution that can address them.
In a mixed environment Windows is the bulk of the machines, but Linux and Mac often hold a
disproportionate share of sensitive data. Executives' Macs may access or create strategic
documents, and Engineering on Linux may hold source code or product roadmaps. You should
document the full breadth of the OSs and what sensitive data is likely found on each. During
Phase 1 – Data Usage Discovery & Visibility, the theoretical picture and reality will be compared.

• Applications within an organization are what deliver insights, drive value, and enable
businesses. All of them must be deployed to maximize security without impacting usability.
During the pre-deployment phase, document and prioritize the sanctioned applications, but
also leverage technology to discover the unsanctioned applications that inevitably appear as
businesses evolve. With the sanctioned and known applications, discuss the expected workflows,
note where sensitive data is moving, stored, and accessed, and record who the expected or
approved users are. For unsanctioned applications, establish criteria for what risk is acceptable
and what actions to take when that threshold is exceeded. A comprehensive list of all
applications, both sanctioned and unsanctioned, will be your baseline.


• Broadly speaking, there are two types of data, regulated and unregulated. Regulated data is
subject to compliance rules or laws such as PCI-DSS, GDPR, and HIPAA. A third party outlines
what is regulated, how it must be protected, and the repercussions for non-compliance.
Unregulated data is more nebulous and can be seen as everything else, but within it further
classification helps bring order. Internal-only or confidential data is intellectual property (IP)
you would protect from external viewers, while public data is open for all to access. Nearly
every organization has a blend of both types, and Enterprise DLP must find, understand, and
protect it all. Document the compliance regulations you are held accountable to and what IP
your business relies upon.

Using the documented OSs, applications, and data types, build and test agents and agent
deployment throughout your environment. This test will verify compatibility and deployability
while uncovering any conflicts or workflow disruptions. Based on this limited test, any
modifications can be re-tested before enterprise-wide deployment.

This information, combined with the results of Phase 2 – Data Usage Discovery & Visibility
and Phase 3 – Risk Assessment, will serve as the basis for Phase 4 – Policy Development &
Deployment.

Roles & Responsibilities

Your team should also outline where the responsibilities lie for the program, to ensure you and
the vendor understand what is under their control and what is managed by your team. This is
especially significant if you opt for a third-party managed service; make note of what is and
isn't in their SLA. Educate your team on the support options for the inevitable questions that
arise during any phase of your roll-out or after you are live with your DLP. Rapid resolution of
issues can keep the program on track, especially during the early learning period.

On your team the responsibilities range from the executive sponsor to the security team member
with hands on the DLP platform. Depending on the size of your team, one person may cover
multiple roles. If the General Data Protection Regulation (GDPR) is part of your regulatory
compliance program, a Data Protection Officer (DPO) will be a required program stakeholder. He
or she will oversee the data protection strategy to ensure compliance with this regulation.

A business or data analyst will rely on his or her knowledge of the business processes and how
they align with security needs to identify use cases. Information Technology and Information
Security leader(s) bring the knowledge of the technology infrastructure and the existing security
policies. He or she will be the escalation point for any support or troubleshooting that the day to
day contact is unable to resolve.

The final role is the DLP administrator(s); this is the person that will have the most direct
contact with the data protection platform. He or she needs an understanding of the security
architecture and strategy and must be able to translate that into policies and rules. He or she
will have full administrative access to the platform to change security parameters as needed.
All these roles must communicate and coordinate during the pre-deployment phase and into the
programmatic phase to support a successful Enterprise DLP.

The vendor team should work closely with your team to ensure a smooth roll-out and seamless
transition to the operational phase of your data protection program. In addition to the account
manager you have worked with up to this point, you should be paired with a program manager;
he or she will be the main point of contact and has overall ownership of the project and
responsibility for its success. Behind him or her will be multiple technical experts, each of whom
will use their OS, application, policy deployment, or other knowledge to develop and deploy your
DLP so that it most closely aligns with your business.

Timeline

[Figure: Timeline. The six phases are plotted against increasing use case coverage, from
Pre-deployment, through Data usage discovery & visibility, Risk assessment, Policy development &
deployment, and User education, to Data protection as a program. The horizontal axis runs from
Initial Tactical Deployment to Ongoing Strategic Enterprise Housekeeping.]

Your business runs on a timeline, and your Enterprise DLP program roll-out also needs one.
It allows you and your team to align the phases with the business calendar and keep the
project moving from kick-off to go-live. With the team of stakeholders identified, the technical
environment documented, and the use cases defined, you are better able to determine when you
can transition from deployment to operation. The timeline will include the tasks, dates, expected
duration, owner, and output of each phase. Business leadership should be kept apprised of the
progress, documenting wins along the way. While every program is different, look for a vendor
with broad DLP experience to call upon to compress the timeline and meet your business goals.


Digital Guardian Pre-Deployment

Whether you choose SaaS or our Managed Security Program (MSP), Digital Guardian's team of
security experts will guide you through the pre-deployment process. Digital Guardian has been
making DLP successful in data-rich companies, including those focused on regulated data and
intellectual property, for over 15 years. In that time, we have developed and refined our
processes to help you and your team get operational quickly and integrate DLP into the operating
rhythm of the business. We'll collaborate with your team and the entire business to understand
what data matters most and how it needs to move for your business to grow.

Conclusion
When you combine the various elements, such as data usage discovery & visibility, operating
systems, applications, use cases, and other business factors, you can build out the project
charter. With the business leaders and the information security team in alignment on this charter,
you can scope the project and put together a timeline from kick-off to operational. You and
your chosen vendor will be working towards a common goal, and if any questions arise, your
project charter is a resource to look back upon for reference.

CORPORATE HEADQUARTERS
275 Wyman St., Suite 250
Waltham, MA 02451 USA
[email protected]
781-788-8180
www.digitalguardian.com

Copyright © 2019 Digital Guardian, Inc. All rights reserved. Digital Guardian and Security’s Change Agent are trademarks of Digital Guardian, Inc. in the
U.S. and other countries. All other trademarks are the property of their respective owners.
